Thwarting ICMP low-rate attacks against firewalls while minimizing legitimate traffic loss

Kadhim Hayawi, Zouheir Trabelsi, Safaa Zeidan, Mohammad Mehedy Masud

Research output: Contribution to journalArticlepeer-review

8 Citations (Scopus)


Low-rate distributed denial of service (LDDoS) attacks pose more challenging threats that disrupt network security devices and services. Such type of attacks is difficult to detect and mitigate. In LDDoS attacks, attacker uses low-volume of malicious traffic that looks alike legitimate traffic. Thus, it can enter the network in silence without any notice. However, it may have severe effect on disrupting network services, depleting system resources, and degrading network speed to a point considering them as one of the most damaging attack types. There are many types of LDDoS such as application server and ICMP error messages based LDDoS. This paper is solely concerned with the ICMP error messages based LDDoS. The paper proposes a mechanism to mitigate low-rate ICMP error message attacks targeting security devices, such as firewalls. The mechanism is based on triggering a rejection rule to defend against corresponding detected attack as early as possible, in order to preserve firewall resources. The rejection rule has certain adaptive activity time, during which the rule continues to reject related low-rate attack packets. This activity time is dynamically predicted for the next rule activation period according to current and previous attack severity and statistical parameters. However, the rule activity time needs to be stabilized in a manner in order to prevent any additional overhead to the system as well as to prevent incremental loss of corresponding legitimate packets. Experimental results demonstrate that the proposed mechanism can efficiently defend against incremental evasion cycle of low-rate attacks, and monitor rejection rule activity duration to minimize legitimate traffic loss.

Original languageEnglish
Article number9064541
Pages (from-to)78029-78043
Number of pages15
JournalIEEE Access
Publication statusPublished - 2020


  • BlackNurse attack
  • Low-rate attacks
  • Stateful firewall
  • attack probabilistic modeling
  • session table

ASJC Scopus subject areas

  • General Computer Science
  • General Materials Science
  • General Engineering


Dive into the research topics of 'Thwarting ICMP low-rate attacks against firewalls while minimizing legitimate traffic loss'. Together they form a unique fingerprint.

Cite this